RogueKiller V9.0.3.0 [Jun 17 2014] by Adlice Software
mail : http://www.adlice.com/contact/
Feedback : http://forum.adlice.com
Website : http://www.surlatoile.org/RogueKiller/
Blog : http://www.adlice.com

Operating System : Windows 7 (6.1.7601 Service Pack 1) 64 bits version
Started in : Normal mode
User : utilisatuor [Admin rights]
Mode : Remove -- Date : 06/19/2014 08:47:32

¤¤¤ Bad processes : 3 ¤¤¤
[Suspicious.Path] DrvUpdater.exe -- C:\Users\utilisatuor\AppData\Roaming\DRPSu\DrvUpdater.exe[7] -> KILLED [TermProc]
[Suspicious.Path] Foxit Reader Updater.exe -- C:\Users\UTILIS~1\AppData\Local\Temp\Foxit Reader Updater.exe[7] -> KILLED [TermProc]
[Suspicious.Path] (SVC) tvnserver -- "C:\Windows\securitysvc.exe" -service[7] -> STOPPED

¤¤¤ Registry Entries : 41 ¤¤¤
[Suspicious.Path] (X86) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run | PD-Proxy : C:\Users\utilisatuor\AppData\Local\Temp\Rar$EX00.681\PD-Proxy_2.2.0\PD-Launcher.exe [x] -> DELETED
[Suspicious.Path] (X86) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run | Update Agent : "C:\Windows\update-manager.exe" [x] -> DELETED
[Suspicious.Path] (X86) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run | tvncontrol : "C:\Windows\securitysvc.exe" -controlservice -slave [x] -> DELETED
[Suspicious.Path] (X64) HKEY_USERS\S-1-5-21-2428861949-2753005426-2889067651-1000\Software\Microsoft\Windows\CurrentVersion\Run | tukboqmyqazu : C:\Users\utilisatuor\tukboqmyqazu.exe [x] -> DELETED
[Suspicious.Path] (X64) HKEY_USERS\S-1-5-21-2428861949-2753005426-2889067651-1000\Software\Microsoft\Windows\CurrentVersion\Run | rihobtomocte : C:\Users\utilisatuor\rihobtomocte.exe [x] -> DELETED
[Suspicious.Path] (X64) HKEY_USERS\S-1-5-21-2428861949-2753005426-2889067651-1000\Software\Microsoft\Windows\CurrentVersion\Run | DrvUpdater : C:\Users\utilisatuor\AppData\Roaming\DRPSu\DrvUpdater.exe /hide [x] -> DELETED
[Suspicious.Path] (X86) HKEY_USERS\S-1-5-21-2428861949-2753005426-2889067651-1000\Software\Microsoft\Windows\CurrentVersion\Run | tukboqmyqazu : C:\Users\utilisatuor\tukboqmyqazu.exe -> ERROR [2]
[Suspicious.Path] (X86) HKEY_USERS\S-1-5-21-2428861949-2753005426-2889067651-1000\Software\Microsoft\Windows\CurrentVersion\Run | rihobtomocte : C:\Users\utilisatuor\rihobtomocte.exe -> ERROR [2]
[Suspicious.Path] (X86) HKEY_USERS\S-1-5-21-2428861949-2753005426-2889067651-1000\Software\Microsoft\Windows\CurrentVersion\Run | DrvUpdater : C:\Users\utilisatuor\AppData\Roaming\DRPSu\DrvUpdater.exe /hide -> ERROR [2]
[Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\tvnserver -> NOT SELECTED
[Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\ControlSet002\Services\tvnserver -> NOT SELECTED
[Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\ControlSet003\Services\tvnserver -> NOT SELECTED
[PUM.Proxy] (X64) HKEY_USERS\S-1-5-21-2428861949-2753005426-2889067651-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings | ProxyServer : hidedoor.com:80 -> NOT SELECTED
[PUM.Proxy] (X86) HKEY_USERS\S-1-5-21-2428861949-2753005426-2889067651-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings | ProxyServer : hidedoor.com:80 -> NOT SELECTED
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Tcpip\Parameters | DhcpNameServer : 8.8.8.8 8.8.4.4 -> NOT SELECTED
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{B2E2220C-8188-4493-A075-A0FA41371C74} | NameServer : 8.8.8.8 0.0.0.0 -> NOT SELECTED
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{B2E2220C-8188-4493-A075-A0FA41371C74} | DhcpNameServer : 8.8.8.8 0.0.0.0 -> NOT SELECTED
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{EEFE5B00-049A-40E1-AB4F-90EA495902AA} | NameServer : 8.8.8.8 0.0.0.0 -> NOT SELECTED
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{F0C33FF1-01FE-4474-AFEC-C98DE74AEA59} | DhcpNameServer : 192.168.0.1 192.168.0.1 -> NOT SELECTED
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Tcpip\Parameters\Interfaces\{1263DC4A-56AD-47A2-BACC-C7EBA8E175E6} | DhcpNameServer : 8.8.8.8 8.8.4.4 -> NOT SELECTED
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Tcpip\Parameters\Interfaces\{91E1EB68-7ED3-4991-B8D0-15683EC176F8} | DhcpNameServer : 8.8.8.8 8.8.4.4 -> NOT SELECTED
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\ControlSet002\Services\Tcpip\Parameters\Interfaces\{B2E2220C-8188-4493-A075-A0FA41371C74} | NameServer : 8.8.8.8 0.0.0.0 -> NOT SELECTED
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\ControlSet002\Services\Tcpip\Parameters\Interfaces\{B2E2220C-8188-4493-A075-A0FA41371C74} | DhcpNameServer : 8.8.8.8 0.0.0.0 -> NOT SELECTED
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\ControlSet002\Services\Tcpip\Parameters\Interfaces\{EEFE5B00-049A-40E1-AB4F-90EA495902AA} | NameServer : 8.8.8.8 0.0.0.0 -> NOT SELECTED
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\ControlSet002\Services\Tcpip\Parameters\Interfaces\{F0C33FF1-01FE-4474-AFEC-C98DE74AEA59} | DhcpNameServer : 192.168.0.1 192.168.0.1 -> NOT SELECTED
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\ControlSet003\Services\Tcpip\Parameters\Interfaces\{B2E2220C-8188-4493-A075-A0FA41371C74} | NameServer : 8.8.8.8 193.251.169.165 -> NOT SELECTED
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\ControlSet003\Services\Tcpip\Parameters\Interfaces\{B2E2220C-8188-4493-A075-A0FA41371C74} | DhcpNameServer : 8.8.8.8 193.251.169.165 -> NOT SELECTED
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\ControlSet003\Services\Tcpip\Parameters\Interfaces\{EEFE5B00-049A-40E1-AB4F-90EA495902AA} | NameServer : 8.8.8.8 193.251.169.165 -> NOT SELECTED
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\ControlSet003\Services\Tcpip\Parameters\Interfaces\{F0C33FF1-01FE-4474-AFEC-C98DE74AEA59} | DhcpNameServer : 192.168.0.1 192.168.0.1 -> NOT SELECTED
[PUM.Policies] (X64) HKEY_USERS\S-1-5-21-2428861949-2753005426-2889067651-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System | DisableTaskmgr : 0 -> NOT SELECTED
[PUM.Policies] (X64) HKEY_USERS\S-1-5-21-2428861949-2753005426-2889067651-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System | DisableRegistryTools : 0 -> NOT SELECTED
[PUM.Policies] (X86) HKEY_USERS\S-1-5-21-2428861949-2753005426-2889067651-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System | DisableTaskmgr : 0 -> NOT SELECTED
[PUM.Policies] (X86) HKEY_USERS\S-1-5-21-2428861949-2753005426-2889067651-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System | DisableRegistryTools : 0 -> NOT SELECTED
[PUM.Policies] (X64) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System | EnableLUA : 0 -> NOT SELECTED
[PUM.Policies] (X86) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System | EnableLUA : 0 -> NOT SELECTED
[PUM.Policies] (X64) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System | ConsentPromptBehaviorAdmin : 0 -> NOT SELECTED
[PUM.Policies] (X86) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System | ConsentPromptBehaviorAdmin : 0 -> NOT SELECTED
[PUM.DesktopIcons] (X64) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {20D04FE0-3AEA-1069-A2D8-08002B30309D} : 1 -> NOT SELECTED
[PUM.DesktopIcons] (X64) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {59031a47-3f72-44a7-89c5-5595fe6b30ee} : 1 -> NOT SELECTED
[PUM.DesktopIcons] (X86) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {20D04FE0-3AEA-1069-A2D8-08002B30309D} : 1 -> NOT SELECTED
[PUM.DesktopIcons] (X86) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {59031a47-3f72-44a7-89c5-5595fe6b30ee} : 1 -> NOT SELECTED

¤¤¤ Scheduled tasks : 2 ¤¤¤
[Suspicious.Path] \\{127B5EC1-1114-4894-A265-AB541C07C0E7} -- C:\Users\utilisatuor\Desktop\Super Hyper QCM + de 25000 QCM for DOC-DZ NADJI 85.EXE -> DELETED
[Suspicious.Path] \\{BF12D639-8FA0-4B8C-9B53-EE682B4D4992} -- C:\Users\utilisatuor\Desktop\Super Hyper QCM + de 25000 QCM for DOC-DZ NADJI 85.EXE -> DELETED

¤¤¤ Files : 1 ¤¤¤
[Suspicious.Path][File] FCB Fan Alert.lnk -- C:\Users\utilisatuor\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\FCB Fan Alert.lnk [LNK@] C:\Users\UTILIS~1\AppData\Local\DESKTO~1\303\Ver1\FCBFAN~1.EXE /RunPush -> DELETED

¤¤¤ HOSTS File : 0 [Too big!] ¤¤¤

¤¤¤ Antirootkit : 0 ¤¤¤

¤¤¤ Web browsers : 2 ¤¤¤
[PUM.Proxy][FIREFX:Config] yipu3v5n.default-1356641818636 : user_pref("network.proxy.http", "199.167.133.151"); -> NOT SELECTED
[PUM.Proxy][FIREFX:Config] yipu3v5n.default-1356641818636 : user_pref("network.proxy.http_port", 80); -> NOT SELECTED

¤¤¤ MBR Check : ¤¤¤
+++++ PhysicalDrive0: WDC WD5000BPVT-60HXZT3 +++++
--- User ---
[MBR] ba2059a3ce2eaee0ed6e41a9f3015127
[BSP] 0bc5d8708019a4ad668384545a22a2bd : Windows Vista/7/8 MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x7) [VISIBLE] Offset (sectors): 2048 | Size: 199 MB
1 - [XXXXXX] NTFS (0x7) [VISIBLE] Offset (sectors): 409600 | Size: 462555 MB
2 - [XXXXXX] NTFS (0x7) [VISIBLE] Offset (sectors): 947722240 | Size: 14081 MB
3 - [XXXXXX] FAT32-LBA (0xc) [VISIBLE] Offset (sectors): 976560128 | Size: 103 MB
User = LL1 ... OK
User = LL2 ... OK

============================================
RKreport_SCN_06192014_084630.log
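The report above is a flat list of detections and outcomes, and the part an analyst has to act on is what the Remove run did not change: the `ERROR [2]` lines, and every `NOT SELECTED` line (the tvnserver service keys, the hidedoor.com:80 and Firefox proxy settings, the 193.251.169.165 resolver in ControlSet003, and UAC switched off via EnableLUA and ConsentPromptBehaviorAdmin). The Python below is an added example, not part of the RogueKiller report or Adlice Software's code. It parses lines of the `[Category] (View) Key | Name : Value -> OUTCOME` shape RogueKiller writes and applies an assumed triage policy: flag unremediated Suspicious.Path items, any proxy setting left in place, EnableLUA or ConsentPromptBehaviorAdmin set to 0, and resolvers that are neither private nor in an assumed allowlist of 8.8.8.8 and 8.8.4.4. The sample input is a subset of lines copied from the report.

```python
"""Triage helper for RogueKiller report lines (added example, not Adlice code).
Parses "[Category] (View) Key | Name : Value -> OUTCOME" lines and reports what
the Remove run changed versus what it left in place for the analyst to revisit."""
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional

# Subset of lines copied from the report above; not the full 41-entry list.
SAMPLE_REPORT = r"""
[Suspicious.Path] DrvUpdater.exe -- C:\Users\utilisatuor\AppData\Roaming\DRPSu\DrvUpdater.exe[7] -> KILLED [TermProc]
[Suspicious.Path] (SVC) tvnserver -- "C:\Windows\securitysvc.exe" -service[7] -> STOPPED
[Suspicious.Path] (X86) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run | tvncontrol : "C:\Windows\securitysvc.exe" -controlservice -slave [x] -> DELETED
[Suspicious.Path] (X86) HKEY_USERS\S-1-5-21-2428861949-2753005426-2889067651-1000\Software\Microsoft\Windows\CurrentVersion\Run | tukboqmyqazu : C:\Users\utilisatuor\tukboqmyqazu.exe -> ERROR [2]
[Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\tvnserver -> NOT SELECTED
[PUM.Proxy] (X64) HKEY_USERS\S-1-5-21-2428861949-2753005426-2889067651-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings | ProxyServer : hidedoor.com:80 -> NOT SELECTED
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{B2E2220C-8188-4493-A075-A0FA41371C74} | NameServer : 8.8.8.8 0.0.0.0 -> NOT SELECTED
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\ControlSet003\Services\Tcpip\Parameters\Interfaces\{B2E2220C-8188-4493-A075-A0FA41371C74} | NameServer : 8.8.8.8 193.251.169.165 -> NOT SELECTED
[PUM.Policies] (X64) HKEY_USERS\S-1-5-21-2428861949-2753005426-2889067651-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System | DisableTaskmgr : 0 -> NOT SELECTED
[PUM.Policies] (X64) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System | EnableLUA : 0 -> NOT SELECTED
[PUM.Policies] (X86) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System | EnableLUA : 0 -> NOT SELECTED
[PUM.Proxy][FIREFX:Config] yipu3v5n.default-1356641818636 : user_pref("network.proxy.http", "199.167.133.151"); -> NOT SELECTED
"""

LINE_RE = re.compile(
    r"^\[(?P<category>[^\]]+)\]"           # detection class, e.g. [PUM.Proxy]
    r"(?:\[(?P<kind>[^\]]+)\])?"           # optional second tag, e.g. [File]
    r"\s*(?:\((?P<view>X86|X64|SVC)\))?"   # registry view or service marker
    r"\s*(?P<subject>.*?)"                 # key path, process or file
    r"\s*->\s*(?P<outcome>.+?)\s*$"        # what RogueKiller did with it
)
REMEDIATED = {"DELETED", "KILLED", "STOPPED"}
# Assumption: resolvers the analyst has already accepted (Google Public DNS).
KNOWN_RESOLVERS = {"8.8.8.8", "8.8.4.4"}
UAC_VALUES = {"EnableLUA", "ConsentPromptBehaviorAdmin"}


@dataclass
class Finding:
    category: str
    view: Optional[str]
    key: str               # registry key, process or file description
    name: Optional[str]    # value name after " | ", when present
    value: Optional[str]   # value data after " : ", when present
    outcome: str

    @property
    def status(self) -> str:
        if self.outcome.startswith("NOT SELECTED"):
            return "skipped"       # detected, but not ticked for removal
        if self.outcome.startswith("ERROR"):
            return "failed"        # removal attempted, the Win32 call failed
        if self.outcome.split()[0] in REMEDIATED:
            return "remediated"
        return "unknown"


def parse_report(text: str) -> List[Finding]:
    """Extract every '[...] ... -> OUTCOME' finding; banner and MBR lines are skipped."""
    findings = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        key, name, value = m.group("subject"), None, None
        if " | " in key:
            key, rest = key.split(" | ", 1)
            name, value = (rest.split(" : ", 1) + [None])[:2]
        findings.append(Finding(m.group("category"), m.group("view"),
                                key, name, value, m.group("outcome")))
    return findings


def summarize(findings: List[Finding]) -> dict:
    counts = {"remediated": 0, "failed": 0, "skipped": 0, "unknown": 0}
    for f in findings:
        counts[f.status] += 1
    return counts


def _foreign_resolvers(value: str) -> List[str]:
    """Resolver addresses that are neither unspecified, private nor allow-listed."""
    foreign = []
    for tok in value.split():
        try:
            ip = ipaddress.ip_address(tok)
        except ValueError:
            continue
        if not (ip.is_unspecified or ip.is_private or tok in KNOWN_RESOLVERS):
            foreign.append(tok)
    return foreign


def follow_up(findings: List[Finding]) -> List[str]:
    """Reasons to revisit findings the run did not remediate (assumed triage policy)."""
    reasons: List[str] = []
    for f in findings:
        if f.status == "remediated":
            continue
        reason = None
        if f.category == "Suspicious.Path":
            where = f"{f.key} | {f.name}" if f.name else f.key
            reason = f"{f.status}: {where}"
        elif f.category == "PUM.Proxy":
            reason = f"proxy setting left in place: {f.value or f.key}"
        elif f.category == "PUM.Policies" and f.name in UAC_VALUES and f.value == "0":
            reason = f"UAC weakened: {f.name}=0"
        elif f.category == "PUM.Dns" and f.value:
            foreign = _foreign_resolvers(f.value)
            if foreign:
                iface = f.key.rsplit("\\", 1)[-1]
                reason = f"unexpected resolver(s) {' '.join(foreign)} on {iface}"
        if reason and reason not in reasons:   # X86/X64 views repeat the same entry
            reasons.append(reason)
    return reasons
```

Running `follow_up(parse_report(SAMPLE_REPORT))` on the sample yields six items: the failed X86 Run deletion, the tvnserver service key still present, the two proxy settings, the 193.251.169.165 resolver, and EnableLUA=0 (reported once although both registry views list it). DisableTaskmgr : 0 and the 8.8.8.8 0.0.0.0 resolver pair are correctly left alone. To triage a full report, read the .log file into `parse_report` instead of the embedded sample.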